When secret masking is enabled for log messages, BWC uses a static blacklist of attribute and
parameter names that are considered secrets and tries to mask them in the log messages. By
default, this blacklist contains the following names:

API response and log message secret masking use a best-effort approach and, as such, have
multiple limitations.
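To make the best-effort limitation concrete, here is an added Python example (not BWC's own code; the blacklist and the sample parameters are constructed) that masks blacklisted parameter names both in structured action parameters and in a free-form log line, and shows what a purely name-based blacklist does not catch:

```python
import re

# Constructed blacklist for illustration only; it is not BWC's real default list.
SECRET_NAMES = ("password", "api_key", "token", "secret")
MASK = "********"

# Matches name=value / "name": "value" pairs for blacklisted names in free text.
_PAIR_RE = re.compile(
    r'(?P<key>["\']?\b(?:' + "|".join(map(re.escape, SECRET_NAMES)) +
    r')\b["\']?\s*[=:]\s*)(?P<val>"[^"]*"|\'[^\']*\'|\S+)',
    re.IGNORECASE,
)


def mask_params(obj):
    """Recursively mask values whose key is on the blacklist (structured data)."""
    if isinstance(obj, dict):
        return {k: (MASK if str(k).lower() in SECRET_NAMES else mask_params(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_params(v) for v in obj]
    return obj


def mask_log_message(message):
    """Mask blacklisted name/value pairs embedded in a free-form log line."""
    def repl(m):
        val = m.group("val")
        quote = val[0] if val[0] in "\"'" else ""   # keep quoting style of the value
        return m.group("key") + quote + MASK + quote
    return _PAIR_RE.sub(repl, message)


def demo():
    """Show what name-based masking catches and what it misses.

    'db_pass' is not on the blacklist, so its value survives, and the same
    secret echoed inside a command string ('-phunter2') is not recognised at
    all, because masking keys on names, not on values.
    """
    params = {"host": "db1", "password": "hunter2", "db_pass": "hunter2",
              "nested": {"api_key": "abc123"}}   # constructed sample parameters
    line = ("Running sql.query with password=hunter2 as user bob; "
            "cmd: mysql -u bob -phunter2")       # constructed sample log line
    return mask_params(params), mask_log_message(line)
```

Every value the blacklist misses in `demo()` is exactly the kind of leak that encrypted datastore values and restricted log access are meant to cover.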

You are strongly encouraged not to rely on the secret masking functionality alone, but to use it
in combination with the other security-related primitives available in BWC, such as RBAC and
encrypted datastore values (the defence-in-depth principle).

The best approach when dealing with secrets is to store secret and/or potentially sensitive
values encrypted in the datastore, and then to retrieve and decrypt those values directly, and
only in the actions that need to access them.

Doing that instead of passing those values around as action parameters makes actions and workflows
somewhat more tightly coupled and harder to re-use and troubleshoot, but it reduces the surface
area where those values could be leaked or exposed, and so makes the deployment more secure: you
are trading readability and re-use for security.

In addition, be careful not to use the DEBUG log level or debug mode in production deployments.
When debug mode is enabled or the log level is set to DEBUG, log verbosity is increased, a lot of
data that is helpful when debugging but could also contain sensitive information is included in
the log messages, and no masking is performed.